© 2014 SpringOne 2GX. All rights reserved. Do not distribute without permission. Groovy for System Administrators By Dan Woods

Who Am I?

@danveloper /danveloper #author

System administration is a multi-faceted problem domain, not dissimilar from software development.

- Me

At a high level, System Administration is about…

Provisioning

Deployment

Management

Provisioning…

• “Building” the server

• Creating the installation media

• Installing the OS on the server

Deployment…

• Getting our app on the server

• Making sure it runs there

• Managing environment dependencies

Management…

• Maintaining user accounts/access

• Managing resource authorization

• Designing security protocols

What about…

• Docker?

• Chef?

• Puppet?

• Ansible?

• Packer?

• Salt?

• CFEngine?

• Synctool?

• Rex?

• Rundeck?

• STAF?

• Server CM of the week?

A Disjointed Process

• CM setup just hopes that you’ve done everything right to start with

• The CM agent requires different requisite config than just OS installation

• May leave your server in an unknown state if the process didn’t succeed for some reason

[Diagram labels: pre-provisioned server; OS installation; agent-based post-install configuration; server provisioning and configuration (?)]

We need to rethink the way that we build and work with server environments.

- Me

Environment Considerations

• Disaster Recovery

• Auditing

• Forensics

We need to be able to rapidly recover and reproduce an environment from configuration and archives alone.

- Me

Immutable Infrastructure

• Every new version of software gets a new server

• Servers are ephemeral entities in the infrastructure

• Pragmatic for adopting a software-defined network

Building Servers with Gradle

• Programmatic solution to supporting immutable infrastructure

• Servers are version controlled and archived

• "Builds" (i.e. servers) can be archived for recovery and reconstitution

• Continuous Integration, Continuous Delivery, Continuous Deployment

Gradle Provisioning Plugin

• Provides a DSL to Gradle to represent a server's configuration

• Support for Continuous Integration and Continuous Deployment

• Continuous Delivery can be achieved through your CI system

Provisioning and Deployment through CI

[Diagram labels: Web App Build Job; Provisioning & Deployment Job; Smoke Tests; Production Deploy; Build]

Authentication Hacking with Groovy

Pluggable Authentication Module

• Account Details

• Authentication

• Password Changes

• Session Interaction

Common PAM Modules

• LDAP (pam_ldap)

• Active Directory

• Radius

• … etc, etc, etc.

Why not let the software infrastructure manage the server’s authentication strategy?

- Me

Why not Spring Security through a Grails application?

- Me

PAM Module: pam_exec.so

• Allows an external system script to provide for any layer of the PAM stack

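PAM Account & Authentication with Grails

Add to /etc/pam.d/login:

    auth sufficient pam_exec.so debug expose_authtok /etc/security/onauth
    account sufficient pam_exec.so /etc/security/onaccount

Create /etc/security/onauth script and mark it executable:

    #!/bin/sh
    # pam_exec (expose_authtok) supplies the password on stdin.
    pass=$(cat)
    # URL-encode both fields so characters such as & or = in the password
    # cannot alter the form body. Note: this URL is plain HTTP.
    result=$(curl -s --data-urlencode "user=$PAM_USER" --data-urlencode "pass=$pass" http://192.168.0.106:8080/auth)
    if [ "$result" != "success" ]; then
        exit 1
    else
        # Create the local account (with a home directory from /etc/skel).
        /usr/sbin/useradd -m -k /etc/skel "$PAM_USER"
        exit 0
    fi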
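
A hardened variant of the onauth hook above, as an added example that is not from the talk: it validates PAM_USER before it reaches useradd, refuses existing system accounts, sends the password on curl's stdin and fails closed on any error. The HTTPS endpoint, MIN_UID and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the speaker's script. AUTH_URL, MIN_UID and the
# function names are assumptions made for illustration.
LC_ALL=C; export LC_ALL                      # a-z ranges mean ASCII only
AUTH_URL=${AUTH_URL:-https://auth.example.internal/auth}   # placeholder endpoint
MIN_UID=1000                                 # assumed first non-system UID

# Accept only conservative account names: this value is handed to useradd.
valid_pam_user() {
    [ -n "$1" ] && [ "${#1}" -le 32 ] || return 1
    case $1 in
        [!a-z_]*)      return 1 ;;   # leading '-', digit, '/', '.', upper case
        *[!a-z0-9_-]*) return 1 ;;   # whitespace, shell or URL metacharacters
    esac
}

# Existing system accounts (root, daemons) are never authenticated remotely.
remote_auth_allowed() {
    uid=$(id -u "$1" 2>/dev/null) || return 0    # unknown name: may be created
    [ "$uid" -ge "$MIN_UID" ]
}

# Only the exact body "success" counts; empty or error output fails closed.
is_success() { [ "$1" = "success" ]; }

onauth() {
    valid_pam_user "${PAM_USER:-}" && remote_auth_allowed "$PAM_USER" || return 1
    pass=$(cat)                                  # authtok from pam_exec on stdin
    # The password goes to curl on stdin, so it never shows in the process list.
    result=$(printf '%s' "$pass" | curl -s --fail --max-time 5 \
        --data-urlencode "user=$PAM_USER" --data-urlencode "pass@-" "$AUTH_URL") || return 1
    is_success "$result" || return 1
    # Create the account only on first login; a useradd failure denies the login.
    id "$PAM_USER" >/dev/null 2>&1 || /usr/sbin/useradd -m -k /etc/skel "$PAM_USER"
}

# pam_exec sets PAM_TYPE; in the auth stack, act as the hook and stop here.
if [ "${PAM_TYPE:-}" = auth ]; then onauth; exit $?; fi

# Run by hand: print the decision for constructed sample names.
for n in alice svc_app-1 -m Bob 'a b' x/y ''; do
    if valid_pam_user "$n"; then echo "accept: [$n]"; else echo "reject: [$n]"; fi
done
```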

Kernel Hacking with Groovy

Kernel Space IPC with Userland Groovy

[Diagram: kernel space (kernel memory, kernel processes) and userland (userland memory, userland processes), with procfs, netlink, mmap and udp between them]

Groovy as a Rules Engine for `mkdir`

[Diagram labels: mkdir(); syscall table entry __NR_mkdir; mkdir_code; filesystem]

Groovy as a Rules Engine for `mkdir`

[Diagram labels: mkdir(); syscall table; intercepted mkdir_code; original mkdir_code; filesystem]

Other Considerations for Kernel Hacking

• Intelligent Packet Inspection (a la IDS)

• Network Manipulation (via netlink interface)

• Packet tagging and external tracking

• User and application oriented metrics gathering

Questions?